CVE-2025-12182
BaseFortify
Publication date: 2025-11-15
Last updated on: 2025-11-15
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | qi_blocks | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Qi Blocks plugin for WordPress is due to a missing capability check in the resize_image_callback() function. This means the plugin does not properly verify if a user has permission to resize a specific image attachment. As a result, authenticated users with Contributor-level access or higher can resize arbitrary images in the media library that belong to other users.
How can this vulnerability impact me? :
This vulnerability can allow attackers with Contributor-level access or above to resize images they do not own, leading to unintended file writes, increased disk consumption, and abuse of server resources by processing large images. This could degrade server performance and potentially disrupt service availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Qi Blocks plugin to a version later than 1.4.3 where the missing capability check on the resize_image_callback() function is fixed. Additionally, restrict Contributor-level and higher user permissions carefully and monitor media library usage to detect any unusual activity related to image resizing.